A serious security flaw has been identified in the popular and widely used TI WooCommerce Wishlist plugin, which adds features such as wish lists to WooCommerce stores. Security researchers at Patchstack, a cloud cybersecurity company, discovered that the plugin is vulnerable to unauthenticated arbitrary file upload, allowing attackers to upload malicious files that could be executed remotely, leading to complete site takeover.
This vulnerability is reachable only if the WC Fields Factory plugin is enabled and actively integrated with TI WooCommerce Wishlist. It is tracked as CVE-2025-47577 and affects versions up to and including 2.9.2; the plugin is active on over 100,000 websites, according to the WordPress plugin directory.
Root of the Issue
The vulnerability hinges on how the plugin handles file uploads, particularly when integrated with the WC Fields Factory extension. At its core, the problem lies in the function tinvwl_upload_file_wc_fields_factory(), which leverages WordPress’s wp_handle_upload() function. Attackers could use this pathway to upload malicious files such as PHP scripts and trigger remote code execution on the server, effectively giving them control over the affected website.
Under normal circumstances, wp_handle_upload() performs validation to ensure only safe, expected file types are accepted. However, the plugin’s code explicitly sets the ‘test_type’ parameter to false, which disables that validation. As a result, the function accepts and processes any file type, including executable scripts such as PHP files. An attacker can exploit this by uploading a malicious PHP script through the wishlist interface or related forms, then executing it remotely by accessing the uploaded URL.
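To make the ‘test_type’ point concrete, the following added illustration (written for this article, not code from the TI WooCommerce Wishlist or WC Fields Factory plugins) places the upload pattern the advisory describes next to a hardened version. The function names prefixed with example_ and the nonce action name are assumptions; wp_handle_upload(), wp_check_filetype_and_ext() and wp_verify_nonce() are standard WordPress functions.

```php
<?php
// Added illustration, not the plugin's own code. Function names prefixed
// example_ and the nonce action 'example_wishlist_upload' are hypothetical.
require_once ABSPATH . 'wp-admin/includes/file.php';

// WEAK: passing 'test_type' => false tells wp_handle_upload() to skip its
// extension/MIME check, so a file named script.php is stored unchanged under
// wp-content/uploads and is reachable by URL. This is the setting the advisory
// calls out; it is shown only to contrast with the hardened version below.
function example_upload_weak( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables WordPress's file-type validation
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED: require an authenticated user and a valid nonce, keep test_type
// enabled, and narrow the accepted types to an explicit allowlist.
function example_upload_hardened( array $file, string $nonce ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Only the types a wishlist attachment legitimately needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Check the extension against the sniffed content before WordPress
    // touches the file; a .php upload fails here with empty ext/type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    $overrides = array(
        'test_form' => false,
        'test_type' => true,     // keep WordPress's own validation on
        'mimes'     => $allowed, // and restrict it to the allowlist
    );
    return wp_handle_upload( $file, $overrides );
}
```

The hardened variant layers three independent checks (authentication, request nonce, type allowlist) so that no single override, such as a later change to 'test_type', silently removes all protection.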
Allowing unauthenticated users to upload and execute arbitrary files is a critical security risk. Once an attacker manages to upload a malicious script, they can run it on the server, potentially gaining full control over the website, accessing sensitive customer data, or even pivoting to other parts of the hosting environment.
As of now, the latest available version of the affected plugin is 2.9.2, which contains the vulnerability. No patch has been released yet, so store owners and developers are advised to stop using the plugin if it is not essential, deactivating and removing it until an update is issued. To prevent data loss until a fix is available, take a full backup of your WordPress website.
This incident is another example of how a small misconfiguration can open the door to severe exploits. As WordPress and WooCommerce plugins grow in complexity and number, thorough code review and embedding security best practices into both development and deployment processes are more critical than ever.
Check out Patchstack’s security report for more information and updates on their website here.